A new report issued by the Office of Inspector General's Office says the Federal Emergency Management Agency (FEMA) inappropriately shared personal addresses and the banking information for more than 2.3 million disaster survivors in the United States.
The personal information came from disaster survivors who used FEMA's Transitional Sheltering Assistance (TSA) program, which included those victims from the 2017 California wildfires and Hurricanes Harvey, Irma and Maria, the report says.
The 'major privacy incident' occurred because the agency "did not ensure it shared with the contractor only the data elements the contractor requires to perform its official duties administering the TSA program."
"In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary," said FEMA Press Secretary Lizzie Litzow in a statement about the incident.
"Since discovery of this issue, FEMA has taken aggressive measures to correct this error," Litzow added. "FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system. To date, FEMA has found no indicators to suggest survivor data has been compromised."
According to the OIG report dated March 15, FEMA provided more than 20 unnecessary points of data from survivors participating in the TSA program. Information released by the breach included an applicant's, Street address, city, zip code, the name of the financial institution the applicant used and Electronic Funds Transfer Number and Bank Transit Number.
The OIG report goes on to state that the people affected by the data breach are now at an increased risk of identity theft and fraud. FEMA did not identify the contractor.
Litzow also said the agency was working with the contractor to remove the extra data from its system. FEMA also instructed contracted staff to complete additional DHS privacy training.
Photo: Getty Images